SuperCare, a home care service provider in California, reached a $2.25 million settlement with the 318,379 patients impacted by a 2021 systems hack, one year after the breach victims first filed the lawsuit.
If finalized, the proposed settlement would require SuperCare to make enhancements to its cybersecurity and business practices, resolving claims that the provider’s inadequate security program caused the incident and, in the process, violated Federal Trade Commission (FTC) and Health Insurance Portability and Accountability Act (HIPAA) regulations.
SuperCare will also provide a year of credit monitoring to breach victims. Impacted patients who file a claim are eligible to receive a cash payment of $100, while a second tier of individuals may be able to claim up to $2,500 as reimbursement of out-of-pocket expenses tied to the incident.
Reimbursement also covers up to four hours of time individuals spent responding to issues directly tied to the data breach, at up to $25 per hour.
The lawsuit accused SuperCare of violating the FTC Act by failing to maintain reasonable and appropriate security for members’ personal information, which the suits characterized as an “unfair practice,” and of violating HIPAA by failing to notify patients in a timely manner, failing to “protect against reasonably anticipated threats,” and failing to comply with the rule.
The two lawsuits were filed against SuperCare in April 2022, just two weeks after the provider reported a systems hack. The breach notice was issued more than eight months after the incident was discovered, far outside of the 60-day requirement outlined in HIPAA.
SuperCare discovered a four-day hack on July 27, 2021, and deployed mitigation to stop the attack. The investigation found the actors accessed the network and patient data, including contact details, dates of birth, health insurance details, testing, diagnostic data, treatments and other sensitive information. For a smaller subset of patients, Social Security numbers and driver’s licenses were also impacted.
The lengthy investigation and wording of the notice were key components of the lawsuits, including the lack of explanation for why impacted individuals were notified long after the hack was discovered. The notice “was not just untimely but woefully deficient, failing to provide basic details,” according to the suits.
SuperCare also didn’t offer “to provide affected individuals with adequate credit monitoring service or compensation for the damages they have suffered as a result of the breach,” the lawsuits argued.
Patients weren't told how the unauthorized access was gained, whether patient data was encrypted before the attack, how the hack was discovered, what systems were affected, and whether the servers containing patient data were accessed, according to the suits.
Further, the suits argued that the hack was the “direct result” of a “failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect” patient data.
Under the settlement, SuperCare is required to conduct penetration testing and a risk assessment to identify vulnerabilities, then use the findings to apply the necessary security measures. Notably, HIPAA already requires providers to perform risk assessments as part of compliance.
SuperCare must also replace its previous Endpoint Detection & Response (EDR) solution with a new managed EDR tool on all systems, update its soft authentication to a multi-factor authentication tool, implement a cloud-based identity and access management system, and add further restrictions on access to corporate services and resources.
The provider must also increase its network segmentation and update its end user cybersecurity awareness training.
A final hearing is scheduled for Aug. 28.